Tuesday, February 28, 2012

Security Onion 20120224 now available!

Problem #1

Suppose you're monitoring traffic that has VLAN tags (in both directions). By default, when you right-click the Alert ID in Sguil and request the transcript/pcap, you would get nothing. In order to get transcripts/pcaps to work correctly in Sguil, you would have to manually set VLAN to "1" in pcap_agent.conf.

Problem #2
Suppose you're monitoring traffic that has VLAN tags in one direction but not the other. When you right-click the Alert ID in Sguil and request the transcript/pcap, you would only get the non-VLAN side of the flow. If you set VLAN to "1" in pcap_agent.conf, you would then receive just the VLAN side of the flow.

The updated pcap_agent.tcl and tcpflow allow Sguil to transparently support all three cases: traffic with VLAN tags, traffic without VLAN tags, and mixed traffic where only one side of the flow is tagged. When you right-click the Alert ID and request the transcript/pcap, you should now get the entire flow.
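To make the two problems above concrete, here is an added example in Python; it is not code from the Security Onion project, pcap_agent.tcl or tcpflow. It parses raw Ethernet frames (untagged Ethernet II and single 802.1Q tagging; QinQ and IPv6 are out of scope by assumption), reduces each packet to a direction-agnostic 5-tuple, and then pulls one flow out of a constructed capture under three selection modes: "untagged" (the old default), "tagged" (the old VLAN=1 setting) and "any" (the new behaviour). The addresses, ports and VLAN id 100 are made-up values built inside the script.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800      # IPv4
IPPROTO_TCP = 6


def parse_frame(frame: bytes):
    """Return (vlan_id, src_ip, dst_ip, proto, sport, dport) or None.

    vlan_id is None for untagged frames. Only single 802.1Q tagging and
    IPv4 are handled (assumption for this example, not a Sguil limitation)."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    vlan_id = None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF      # low 12 bits of the TCI carry the VLAN id
        offset = 18                 # tag pushes the IP header 4 bytes further in
    if ethertype != ETH_P_IP:
        return None
    ip = frame[offset:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP/UDP ports follow the IP header
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return vlan_id, src, dst, proto, sport, dport


def flow_key(src, dst, proto, sport, dport):
    """Direction-agnostic key so both halves of a conversation map to one flow."""
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


def extract_flow(frames, src, dst, sport, dport, mode):
    """Return the frames of one TCP flow.

    mode 'untagged': accept only untagged frames (old default behaviour)
    mode 'tagged':   accept only 802.1Q-tagged frames (old VLAN=1 setting)
    mode 'any':      accept both, which is what a mixed-tag flow needs"""
    wanted = flow_key(src, dst, IPPROTO_TCP, sport, dport)
    out = []
    for f in frames:
        parsed = parse_frame(f)
        if parsed is None:
            continue
        vlan_id, s, d, proto, sp, dp = parsed
        if mode == "untagged" and vlan_id is not None:
            continue
        if mode == "tagged" and vlan_id is None:
            continue
        if flow_key(s, d, proto, sp, dp) == wanted:
            out.append(f)
    return out


def build_frame(src, dst, sport, dport, vlan_id=None, payload=b""):
    """Constructed test frame: Ethernet II [+ 802.1Q tag] + minimal IPv4 + TCP header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"   # dst MAC, src MAC
    if vlan_id is None:
        return eth + struct.pack("!H", ETH_P_IP) + ip + tcp + payload
    return eth + struct.pack("!HHH", ETH_P_8021Q, vlan_id & 0x0FFF, ETH_P_IP) + ip + tcp + payload


def constructed_capture():
    """Made-up capture: client->server frames carry VLAN 100, replies arrive untagged."""
    return [
        build_frame("10.0.0.5", "192.168.123.234", 40000, 80, vlan_id=100, payload=b"GET / HTTP/1.0\r\n"),
        build_frame("192.168.123.234", "10.0.0.5", 80, 40000, payload=b"HTTP/1.0 200 OK\r\n"),
        build_frame("10.0.0.6", "192.168.123.234", 40001, 443, vlan_id=100),   # unrelated flow
        b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,                             # ARP, skipped
    ]


if __name__ == "__main__":
    cap = constructed_capture()
    for mode in ("untagged", "tagged", "any"):
        got = extract_flow(cap, "10.0.0.5", "192.168.123.234", 40000, 80, mode)
        print(f"{mode:>8}: {len(got)} of 2 frames in the flow")
```

Only the "any" mode returns both frames of the mixed flow; "untagged" returns just the server's reply and "tagged" just the client's request, which is exactly the one-sided transcript described in Problem #2.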

Caveat
httpry doesn't support VLAN tags, so you still won't see HTTP events in Sguil where VLAN tags are involved. However, we'll soon be removing httpry in favor of Bro's HTTP logging, which does handle VLAN tags properly. In the meantime, you can query the Bro logs directly from the command-line using something like the following:

zgrep "192.168.123.234" /nsm/bro/logs/*/http*

New Users
New users can download and install the 20120125 ISO image using the instructions here. The step marked "Install Security Onion updates" will automatically install this update.

In-place Upgrade
Existing Security Onion users can perform an in-place upgrade using the following command (if you're behind a proxy, remember to set your proxy variables as described in the FAQ):

Security Onion

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!